HRS-008 Remote Working Security
Description
Personnel working remotely have documented security requirements covering device security, network access, handling of organizational information outside the office, and reporting of security incidents. Remote workers acknowledge these requirements and receive relevant guidance.
Rationale
Remote working environments cannot be physically controlled by the organization, creating exposure to eavesdropping, device loss, and use of uncontrolled networks. Defined and communicated controls reduce these risks to an acceptable level.
Framework Mappings (4)
| Control ID | Control Title | Mapping |
|---|---|---|
| HRS-04 | Remote and Home Working Policy and Procedures | full |
| 6.7 | Remote working | full |
| PS-4 | Personnel Termination | informative |
| CC6.6 | Security Measures Against Threats Outside System Boundaries | partial |
Evidence (2)
Remote working security policy or procedure defining device security, network access, information handling, and incident reporting requirements for remote workers.
Example: Remote Working Security Policy (Confluence / policy management system), covering: approved device types and MDM enrollment requirement, VPN or zero-trust network access requirement, prohibition on use of public Wi-Fi without VPN, handling of paper records at home, and incident reporting for lost devices.
Test: Request the remote working security policy. Verify: (1) device security requirements are specified (e.g. MDM enrollment, full-disk encryption), (2) network access requirements are stated (VPN or equivalent), (3) information handling rules outside the office are included, (4) incident reporting for lost or stolen devices is addressed, (5) the policy is approved and dated within the last 12 months.
Remote worker acknowledgement records confirming all remote-working personnel have received and accepted the remote working security requirements.
Example: Remote working agreement or acknowledgement records from the HRIS or policy platform (BambooHR / Confluence attestation), showing: employee name, acknowledgement date, and policy version for all employees with a remote or hybrid working arrangement.
Test: Export remote working acknowledgement records. Cross-reference against the list of employees with remote or hybrid working arrangements. Verify: (1) all remote workers have a signed or digitally acknowledged agreement on file, (2) acknowledgement pre-dates or is concurrent with start of remote working, (3) any employees without an acknowledgement have an open remediation action.
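The cross-reference in this test is easy to automate once both exports are in hand. The script below is an added illustration, not part of this control catalogue or of any named HRIS or policy platform; the CSV column names, the sample rows, the open-remediation set and the current policy version are all constructed for the example. It applies the three verification steps above (every in-scope worker has a record, the record pre-dates or coincides with the remote start, missing records have an open remediation action) and additionally flags acknowledgements of a superseded policy version, which the evidence item records but the test steps do not explicitly require.

```python
"""Cross-reference remote-working acknowledgement records against the remote/hybrid roster.

Added example with constructed data; the CSV layouts below are assumptions, not any
vendor's actual export format.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HRIS export: every employee, their working arrangement and remote start date.
ROSTER_CSV = """employee_id,name,arrangement,remote_start
E001,Ada Example,remote,2024-01-15
E003,Cy Example,remote,2024-06-10
E004,Dee Example,hybrid,2024-02-20
E005,Eve Example,office,
E006,Fay Example,remote,2024-04-01
E007,Gus Example,hybrid,2024-02-01
"""

# Constructed policy-platform export: one row per acknowledgement event
# (an employee who re-acknowledges a new version appears more than once).
ACK_CSV = """employee_id,acknowledged_on,policy_version
E001,2023-06-01,v1.4
E001,2024-01-10,v2.1
E003,2024-07-02,v2.1
E007,2024-01-05,v1.4
"""

# Constructed: employee ids that already have an open remediation action for a missing record.
OPEN_REMEDIATION = {"E004"}
# Constructed: version carried by the currently approved policy document.
CURRENT_POLICY_VERSION = "v2.1"


@dataclass(frozen=True)
class Ack:
    employee_id: str
    acknowledged_on: date
    policy_version: str


@dataclass(frozen=True)
class Finding:
    employee_id: str
    issue: str
    detail: str


def remote_roster(roster_csv: str) -> list[dict]:
    """Keep only in-scope employees: those with a remote or hybrid arrangement."""
    return [row for row in csv.DictReader(io.StringIO(roster_csv))
            if row["arrangement"] in ("remote", "hybrid")]


def latest_acknowledgements(ack_csv: str) -> dict[str, Ack]:
    """Reduce the acknowledgement event log to the most recent record per employee."""
    latest: dict[str, Ack] = {}
    for row in csv.DictReader(io.StringIO(ack_csv)):
        ack = Ack(row["employee_id"], date.fromisoformat(row["acknowledged_on"]),
                  row["policy_version"])
        prev = latest.get(ack.employee_id)
        if prev is None or ack.acknowledged_on > prev.acknowledged_on:
            latest[ack.employee_id] = ack
    return latest


def check_acknowledgements(roster_csv: str, ack_csv: str, open_remediation: set[str],
                           current_version: str) -> list[Finding]:
    """Return one finding per deviation from the test steps, sorted for a stable report."""
    findings: list[Finding] = []
    latest = latest_acknowledgements(ack_csv)
    for row in remote_roster(roster_csv):
        eid = row["employee_id"]
        ack = latest.get(eid)
        if ack is None:
            # Steps (1) and (3): no record on file; only tolerable with an open remediation action.
            if eid in open_remediation:
                findings.append(Finding(eid, "missing_acknowledgement_tracked",
                                        "no acknowledgement; open remediation action on file"))
            else:
                findings.append(Finding(eid, "missing_acknowledgement_unremediated",
                                        "no acknowledgement and no remediation action"))
            continue
        start = date.fromisoformat(row["remote_start"])
        if ack.acknowledged_on > start:
            # Step (2): the acknowledgement must pre-date or coincide with the remote start.
            findings.append(Finding(eid, "late_acknowledgement",
                                    f"acknowledged {ack.acknowledged_on}, remote since {start}"))
        if ack.policy_version != current_version:
            # Beyond the listed steps: the latest record is for a superseded policy version.
            findings.append(Finding(eid, "stale_policy_version",
                                    f"acknowledged {ack.policy_version}, current is {current_version}"))
    return sorted(findings, key=lambda f: (f.employee_id, f.issue))


if __name__ == "__main__":
    for f in check_acknowledgements(ROSTER_CSV, ACK_CSV, OPEN_REMEDIATION, CURRENT_POLICY_VERSION):
        print(f"{f.employee_id}: {f.issue} ({f.detail})")
```

Reducing the event log to the latest record per employee matters: an employee who signed an old version before starting and then re-acknowledged the current version late would otherwise pass the date check on the stale record. The office-only employee is dropped before any date parsing, so a blank remote start date in the roster does not break the run.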
Questions (2)
Does your organization have documented security requirements for remote working, covering device security, network access, information handling, and incident reporting?
The policy should specify MDM enrollment or equivalent device controls, VPN or zero-trust network access requirements, and a process for reporting lost or stolen devices.
How are remote working security requirements communicated to and acknowledged by remote workers?
All employees with a remote or hybrid arrangement should have a current acknowledgement on file, pre-dating or concurrent with the start of their remote working arrangement.